Author: Dea Dragashi - Page 2 - Harbottle & Lewis

Model Behaviour: Stability AI’s model is not an “infringing copy”, but legality of AI training remains unresolved

Posted on November 7, 2025November 7, 2025 by Dea Dragashi

In the recent judgment in Getty Images v Stability AI [2025] EWHC 2863 (Ch), the High Court considered whether the generative AI model Stable Diffusion infringed copyright in works owned by/licensed to Getty Images, and further whether the model outputs infringed Getty Images’ trade marks. Getty argued that millions of its images had been used without permission to train the Stable Diffusion model, and that the model itself was therefore an infringing copy of the works.

Crucially, the court was not considering whether copyright was infringed during the training process of Stable Diffusion, as those claims were not pursued to trial by Getty due to a lack of evidence of training having been taken place in the UK. Instead, the High Court decided on the much narrower issue of whether the trained Stable Diffusion model is itself an “infringing copy” of the copyright works trained on. If the model was an infringing copy, under secondary copyright infringement law, its import into the UK would have infringed Getty’s copyright, even though the model had not been trained in the UK.

The High Court’s decision came down to the way in which Stable Diffusion was trained, and the relationship between the model and its training data. Stable Diffusion is a diffusion model, meaning its model weights are numerical parameters learned from training, not stored or compressed copies of its training data. The model does not contain any of Getty’s copyright images in any form whatsoever – and never has done – even though it may have been exposed to them during training. Getty’s secondary copyright claim failed as a result.

Although Getty lost its secondary copyright infringement claim, this was a highly fact-specific decision which related to this model of Stable Diffusion only. The High Court stressed this in its decision. Although it may be true that an “AI model which does not store or reproduce any copyright works (and has never done so) is not an “infringing copy””, this leaves the door open for an AI model that does store or reproduce copyright works (or has done so at some point) being found to be an infringing copy of its training data. Other model architectures that retain or reproduce their training data verbatim – which is more common for text models than image models like Stable Diffusion – may still be deemed infringing copies. In addition, there is scope for argument on whether a more liberal interpretation of what is an infringing copy should be adopted: in circumstances where the model has extracted the value and intellectual creation of copyright works, and in a manner that was not envisaged when the legislation was passed, why is this not reproduction of the underlying intellectual creation?

Further, as Getty dropped its training claims at trial, the UK courts are yet to decide on whether the training of AI models using copyright works in the UK infringes copyright. That question will need to be decided in a future claim involving an AI model that was trained (or at least partially trained) in the UK.

On the trade mark infringement claim, the court made a limited finding of trade mark infringement where early model versions of Stable Diffusion produced outputs with Getty-style watermarks.

If you’d like to speak to a member of the team about any of the issues raised by the judgment, please reach out to one of our AI experts.

Harbottle & Lewis advises Lumina Media on its investment in Arcade Media

Posted on October 21, 2025October 21, 2025 by Dea Dragashi

We have advised Lumina Media on its strategic investment in Arcade Media, a London-based talent management agency representing some of the UK’s top content creators.

Thomas Benski’s Lumina Media, a London-based IP-led media and venture group, provides creative, operational and strategic support to its portfolio of companies and talent, helping them build brands and produce content. The investment aligns with Lumina’s strategy of supporting next-generation companies at the intersection of digital media and entertainment.

Founded in 2021, Arcade Media has established itself as a premier talent management agency, helping content creators grow their brands, secure partnerships and develop original content and experiences that bridge the gap between digital talent and mainstream entertainment. The agency is best known as the exclusive management partner for The Sidemen, one of Europe’s largest YouTube collectives.

The transaction demonstrates the continued growth and maturation of the digital content creator economy, as traditional media and venture capital increasingly recognise the value and commercial potential of digital talent and their audiences.

Tim O’Shea, Lumina Media’s Group Director of Commercial and Business Affairs, noted:

“Harbottle & Lewis’s understanding of the media landscape and the nuances of creative businesses make them invaluable advisors. Their support on this investment was seamless, strategic, and effectively aligned with how we operate.”

Tim Parker, partner at Harbottle & Lewis, commented:

“We are delighted to have advised Lumina Media on this exciting investment. Arcade Media represents the future of talent management in the digital age, and we look forward to seeing how this partnership will help accelerate their growth and expand their influence in the creator economy.”

This investment adds to our extensive track record of advising on media and technology transactions, reinforcing the firm’s position as the go-to legal adviser for innovative companies in the media, entertainment and technology sectors.

Our transaction team was led by partner Tim Parker and managing associate Rosie Marston, with support from associate Jake Jacobson.

Three recognised as Rising Stars by IP Stars

Posted on October 2, 2025October 2, 2025 by Dea Dragashi

Three of our managing associates have been recognised as Rising Stars in the IP Stars 2025 rankings.

Zoey Forbes, Clare McGarry, and Sam Purkiss have been named as Rising Stars, an accolade which recognises the best up-and-coming intellectual property practitioners in private practice who have contributed to the success of their firms and clients.

IP Stars, part of the Managing IP media group, is a specialist guide covering legal practitioners who deal with contentious and non-contentious intellectual property issues. Its rankings assess and rank law firms and practitioners globally in a range of IP practice areas.

Click here to view the full list of practitioners on the IP Stars website.

Finalist for Family Law Firm of the Year

Posted on August 28, 2025August 28, 2025 by Dea Dragashi

We have been named as a finalist for Family Law Firm of the Year at the LexisNexis Family Law Awards 2025.

The awards seek to recognise the work of family lawyers and celebrate their successes and achievements. The Family Law Firm of the Year category recognises firms that have delivered outstanding quality of legal service for their clients and displayed high levels of teamwork with external lawyers and/or other third parties.

The winners will be announced at the awards ceremony on Wednesday 19 November at the Park Plaza Westminster Bridge, London.

To read more about the awards, including the full list of nominees, click here.

Five partners recognised as leading family lawyers by Spear’s

Posted on June 25, 2025June 25, 2025 by Dea Dragashi

Five of our partners have been recommended by Spear’s as leading family lawyers for HNW and UHNW individuals in the 2025 Spear’s family law index which was published today.

Senior partner Catherine Bedford has once again been recognised as Top Flight, Nicholas Westley and Mark Irving are Top Recommended whilst Lidia Cantele and Alex Ward have been given Recommended rankings. The index recognises the leading family lawyers advising on high value divorces, cohabitation disputes, child custody, nuptial agreements and mediation and is compiled using extensive data from advisers themselves, as well as submission forms, nominations, peer reviews, data from third-party sources, references, recommendations and hundreds of interviews.

You can see the index in full here.

Harbottle & Lewis advises PlaySafe ID on pre-seed fundraising

Posted on June 23, 2025June 23, 2025 by Dea Dragashi

We have advised PlaySafe ID, a digital identity platform designed to improve safety and accountability in online gaming, on its $1.12 million pre-seed fundraising led by Early Game Ventures with participation from Hartmann Capital and Overwolf.

Founded by Andrew Wailes, PlaySafe ID is currently in talks with several major gaming platforms and is aiming to announce its first partnerships later this year.

Our team was led by partner Ed Lane with support from associate Matthew Shannon.

On working with Harbottle & Lewis, founder Andrew Wailes commented: “I cannot express how happy I am with the work that Harbottle & Lewis undertook for us. The expertise and guidance in particular from Ed Lane and Matthew Shannon was critical in securing our funding in the right way, to protect both us and our investors. The team have been prompt, and provided assistance whenever we needed it. I would gladly recommend them.”

Ed Lane added: “We are delighted to have supported Andrew and his team on this initial fundraise, and we look forward to seeing PlaySafe ID go from strength to strength as it scales.”

The Data (Use and Access) Act receives Royal Assent, bringing change to the UK’s data protection regime

Posted on June 20, 2025June 20, 2025 by Dea Dragashi

On 19 June 2025, the UK’s Data (Use and Access) Act 2025 (the “DUA Act”) received Royal Assent.

This new legislation updates the UK’s current data protection regime which comprises of the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (the “PECR”). The DUA Act will come into force in phases, expected to commence at two, six and twelve months after Royal Assent, giving you time to implement the necessary data protection related changes to your organisation.

What does the DUA Act change and how does it impact organisations?

New ‘recognised legitimate interests’ lawful basis: when you use personal data for legitimate interests, you need to balance the impact on the people whose personal data you use, against the benefits arising from that use – this is commonly done by way of a legitimate interest assessment (“LIA”). However, the DUA Act now includes a list of recognised legitimate interests which means for such interests you don’t need to complete an LIA. This list will be in Schedule 4 to the DUA Act which inserts a new annex to the UK GDPR and includes interests such as:

Sharing personal data if a public authority confirms it’s needed for their public task
Using personal data to safeguard national security, public security, or defence
Using personal data to respond to emergencies under the Civil Contingencies Act 2004
Using personal data to detect, investigate, prevent crime, or prosecute offenders
Using personal data to protect vulnerable individuals from physical, mental and emotional harm or neglect and support their well-being

A new ‘assumption of compatibility’: under the purpose limitation principle, if you re-use personal data you have already collected for a different purpose, you must ensure the new purpose is compatible with the purpose you initially collected it for. However, the DUA Act now includes a list of reuses of personal data that are assumed compatible with the original purpose. This list will be in Schedule 5 to the DUA Act which inserts a new annex to the UK GDPR. You can reuse previously consented personal data for a new purpose if necessary for one of the reasons below, but only if it’s not reasonable to obtain fresh consent, such as using personal data to:

assess or collect taxes or duties; or
comply with legal requirements.

‘Soft opt in’ for charities: if you’re a charity, it allows you to send electronic mail and SMS marketing to people whose personal data you collect when they support, or offer support or express an interest in, your work – providing you offered them a chance to opt out when you collected their personal data and you provide them with a chance to opt out in every electronic communication thereafter.

New cookie exemptions: the DUA Act allows you to set some types of cookies without having to get consent. Currently, you must get consent for all non-strictly necessary cookies. The list of exemptions will be in Schedule 12 to the DUA Act which inserts a new schedule to PECR, so you won’t need consent where the cookie or similar technology is for:

the sole purpose of carrying out transmission of a communication over an electronic communications network;
the non-exhaustive examples of strictly necessary purposes listed in the schedule, including security, fraud prevention, fault detection and authentication;
the sole purpose of enabling a service provider to collect information for statistical purposes about how their online service is used;
the sole purpose of enabling a service to adapt its appearance or functions in accordance with someone’s preferences; and
the sole purpose of working out the subscriber or user’s geographical location when they request emergency assistance.

Reasonable and proportional search under data subject access requests (DSARs): it makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal data.

Complaints: individuals have certain rights such as the right to be informed, access, object, erase, restrict and rectify their personal data. The DUA Act introduces a right for people to complain to organisations and competent authorities if they think that they’ve used their personal information in a way that doesn’t comply with the law. This is similar to the complaints procedure under Freedom of Information Requests under FOIR. It places an obligation on organisations and competent authorities to:

help people to make complaints, requiring them to take steps such as providing an electronic complaints form; and
acknowledge complaints within 30 days and advise the complainant of the outcome without undue delay.

They must also take appropriate steps in the meantime, such as making enquiries into the subject matter of the complaint and keeping the complainant informed about progress.

Using personal data for scientific research: the DUA Act makes it clearer when you can use personal data for the purposes of scientific research, including commercial scientific research. It makes the following clarifications:

People can give “broad consent” to an “area of scientific research” rather than “specific” consent – as long as: the exact purpose was unknown at the time of consent, the consent aligns with recognised ethical standards for the research area, and individuals are given the option to consent to only part of the processing.
You can re-use people’s personal data for scientific research without giving them a privacy notice, if that would involve a disproportionate effort, so long as you protect their rights in other ways and still explain what you’re doing by publishing the notice on your website.

Automated decision making – personal data: previously, decisions based solely on automated processing of personal data were restricted unless they were necessary for a contract between you and the individual, permitted by UK law or done with consent from the individual. Now, the DUA Act removes this restriction and allows an organisation to make solely automated decisions in a wider range of situations as long as it has appropriate safeguards in place – such safeguards include:

providing the individual with information about the decision;
allowing that person to make representations about the decision;
enabling that person to obtain human intervention about the decision; and
enabling that person to contest the decision.

There is no change to the restrictions around decision based solely on automated processing of special categories of personal data – they are still restricted unless you have consent from the individual or it was necessary for substantial public interest under the Data Protection Act 2018.

International transfers: various changes have been made to help make transferring personal data internationally easier. For example:

The protection standard for transferring data now requires that it “is not materially lower” than UK GDPR and Data Protection Act 2018 standards (previously, it required that “the protection of natural persons guaranteed by the UK GDPR is not undermined”). This is referred to as the data protection test.
Schedule 7 of the DUA Act form formalises the requirement for an organisation to do a transfer risk assessment for transfers subject to appropriate safeguards (such as standard contractual clauses). It does this by saying that an organisation must meet the data protection test “reasonably and proportionately”.

There are some operational and terminology changes such as: adequacy decisions are now called “transfers approved by regulations”, with the Secretary of State required to consider specific factors for the data protection test, implement ongoing monitoring instead of a four-year review period, gain new powers to recognise and introduce other transfer mechanisms, and make minor adjustments and restructuring to existing transfer requirements.

PECR breaches and enforcement: there are changes to the rules under PECR, including:

the time period within which communications providers need to inform the ICO of a personal data breach from without undue delay or within 24 hours, to ”without undue delay and where feasible, not later than 72 hours after having become aware of it”, aligning it with the UK GDPR requirement to report a personal data breach;
removing the requirement to establish that a contravention under PECR has caused substantial damage and distress; and
allowing the ICO to impose monetary penalties up to a maximum of £17.5m for certain failures to comply, aligning it with the UK GDPR monetary penalty cap.

Changes to the ICO: there are multiple changes around the structure and powers of the UK’s data protection regulator, the Information Commissioner’s Office, such as:

The ICO can compel individuals working for or on behalf of organisations to attend interviews and answer questions if there is suspected non-compliance or an offence under data protection law.
An extension to the time for the ICO to issue penalty notices after a notice of intent from six months to six months or as soon as reasonably practicable.

Are there any new compliance requirements you have to meet?

Yes:

If you provide an online service that is likely to be used by children, the DUA Act explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO’s Age Appropriate Design Code.
If you don’t already do so, the DUA Act requires you to take steps to help people who want to make complaints about how you use their personal data, such as providing an electronic complaints form. You must to acknowledge complaints within 30 days and respond to them ‘without undue delay’.

Next steps

Familiarise yourself with the changes that the DUA Act makes to data protection laws.
Map out how the DUA Act can make your organisations compliance with data protection laws easier – such as “should do” and “must do” lists.
Introduce a complaints escalation mechanism to allow individuals to complain to your organisation if they feel that the organisation has not complied with data protection laws.
Implement a data protection compliance programme accordingly.

If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like keep up to date on the latest in data protection, please subscribe to our quarterly newsletter, The Data Download.

Harbottle & Lewis advises on the sale of performance-io to private equity firm Apiary Capital

Posted on June 19, 2025June 19, 2025 by Dea Dragashi

We have advised the sellers of performance-io, a leading life sciences performance marketing, SEO and GEO agency, on its sale to private equity firm, Apiary Capital.

Founded to deliver cutting-edge performance marketing solutions, performance-io has established itself as a key player in the industry, working with clients to enhance their marketing strategies through data-driven insights and expertise. Headquartered in London, the business now operates globally with teams in the UK, US, India, Japan and South Africa.

Founder and CEO Matt Lowe and his senior management team will remain with the business, focusing on driving performance-io’s further growth and development.

Our team was led by partner Ed Lane, with support from senior associate Alex Gays, and associates Elizabeth Compton and David Jones. Co-managing partner Tony Littner provided strategic support throughout, with partner David Scott advising on corporate tax matters. Partner Yvonne Gallagher and associate Harry Wade also advised on employment matters.

On working with Harbottle & Lewis, Matt Lowe commented: “I’d not worked with lawyers on a PE backed deal before, and frankly the mood music about the experience wasn’t great. However, the experience with Harbottle and Lewis was. From the first meeting with Tony and Ed, through to working with the broader team through some complex curve balls, we had a superb experience; working in a collaborative manner, learning loads and always with a calming, assured temperament. I can’t recommend H&L enough.”

Ed Lane added: “We are delighted to have supported Matt and his team on this milestone, and we look forward to seeing performance-io’s continued success in its partnership with Apiary Capital.”

Harbottle & Lewis launches dedicated hub for startups

Posted on June 18, 2025June 27, 2025 by Dea Dragashi

We are pleased to introduce The Vault, our startup portal designed specifically for founders and emerging companies.

The Vault offers a range of resources, carefully crafted to support startups. Understanding the financial constraints and resource limitations that many startups encounter, a core element of The Vault is the document hub. This offers a suite of template documents for founders, available for free download.

Commenting on The Vault, Tom Macleod, partner and co-head of the venture capital and emerging companies practice, said: “We are delighted to introduce The Vault. We understand the unique challenges faced by early stage founders; The Vault is designed to provide accessible resources and practical insights that can make a real difference to their journey.”

Register for The Vault

For further information contact us at: [email protected]

The UK’s Data (Use and Access) Bill passes as Lords’ concede on a push for AI transparency to protect creative industries

Posted on June 12, 2025June 12, 2025 by Dea Dragashi

On 11 June, the House of Lords debated amendments to the Data (Use and Access) Bill (the Bill) and marked the culmination of an extensive “ping-pong” process between the House of Lords and the House of Commons regarding the protections for copyright holders in the context of artificial intelligence (AI).

What was the debate about?

The Government’s commitment to protecting copyright holders remains but it argues it cannot act prematurely without completing consultations on the issue. Emphasising the importance of transparency, enforcement and remuneration, it insisted on following due process, which includes analysing over 11,500 consultation responses and establishing technical and parliamentary working groups.
Several Lords, including Baroness Kidron and Lord Berkeley of Knighton, expressed frustration at the Government’s inaction. They argued that immediate transparency measures are needed to protect copyright holders from exploitation by AI companies. The creative sector fears that AI systems are using copyrighted works without consent or compensation, which could undermine the livelihoods of artists, writers, musicians and others.

What happened?

In efforts to ensure transparency and incentivise AI developers to comply with copyright law Lord Berkeley of Knighton introduced a new amendment to the Bill requiring AI developers to disclose which copyrighted works they use for training and how they access them, unless a licence has been agreed with rights holders.

Lord Berkeley ultimately withdrew his amendment, citing a desire to maintain the dignity of the House and avoid further unnecessary divisions. However, he and others urged the Government to take the concerns of the creative industries seriously and act swiftly to address them.

What will happen next?

The Bill now awaits Royal Assent and once in force, it will reform elements of the UK GDPR and Privacy Electronic Communications Regulations – from introducing a list of recognised legitimate interests to adding new exceptions to the consent requirements for cookies and similar technologies.

It should be noted that while the UK’s adequacy decision from the EU to allow a free flow of personal data transfers has been extended to 27 December 2025, the Bill does introduce changes to the UK GDPR which ultimately leads to a departure from the EU GDPR. As such, we wait eagerly to see if it decided whether or not the UK’s data protection regime will continue to offer materially equivalent protections in order to maintain the free flow of transfers between the UK and EU.